A MODIFICATION OF A BROKEN PUBLIC-KEY CIPHER

John J. Cade
24 Clnn Rd.
Winchester, MA 01890
Abstract

A possible public-key cipher is described and its security against various cryptanalytic attacks is considered.
1. Introduction

In this paper, we describe a possible public-key cipher. It is a modification of the public-key cipher that was proposed by the author [2] in April 1985, was broken by Berkovits [1] in August 1985, and was broken independently by James, Lidl, and Niederreiter [3] in October 1985.

This modified cipher, like the original, is a block substitution cipher that operates on binary messages. With this cipher, for a suitably large value of $n$, $n$-blocks of binary digits are identified with elements of the finite field $GF(2^n)$, and elements of $GF(2^n)$ are enciphered by means of a permutation of $GF(2^n)$ whose public description is as a polynomial function on $GF(2^n)$ which has a very high degree but only a few terms.

We consider several possible cryptanalytic attacks against the cipher. The most obvious attack consists of solving the polynomial equations of high degree over $GF(2^n)$ which relate corresponding $n$-blocks of plaintext and ciphertext. Another possible attack consists of solving the system of polynomial equations of high degree over $GF(2^n)$ that expresses the public key for the enciphering permutation in terms of secret trapdoor information about this permutation.
A.M. Odlyzko (Ed.): Advances in Cryptology - CRYPTO '86, LNCS 263, pp. 64-83, 1987. © Springer-Verlag Berlin Heidelberg 1987
For each cryptanalytic attack that we consider, we give an estimate of the amount of computation required as a function of the cipher's block-length $n$. The estimates for all but one of the attacks are based on fairly complete and satisfying analyses of the attacks in question. Unfortunately, however, for the attack by solving the system of equations that expresses the public key in terms of trapdoor information, the estimate is based only on indirect evidence obtained by an analysis of a simpler related system of equations. This attack will require further study, perhaps with the aid of a computer algebra system. On the basis of the estimates of the amounts of computation required by the various cryptanalytic attacks, it appears that the cipher provides adequate security with a block-length of $n \geq 150$.

This paper is organized as follows. In section 2 below, we describe our modified cipher. In section 3, we prove that the enciphering and deciphering permutations used in the cipher are indeed mutually inverse permutations. In sections 4-6, we describe various methods of cryptanalyzing the cipher and we estimate the amounts of computation required by these methods. Finally, in section 7, we summarize these estimates and use them to determine a suitable block-length for the cipher.
2. Description of the cipher

Our cipher is designed to encipher binary messages. Each such message is enciphered one $n$-block at a time, for a specified block-length $n$, by substituting for each plaintext $n$-block $x$ a corresponding ciphertext $n$-block $y$ which is given by $y = P(x)$, where $P$ is a certain kind of permutation of the set of all binary $n$-blocks.
Because of the particular form of the enciphering permutations used in the cipher, the block-length $n$ must be an integer for which there exist integers $\delta$, $\gamma$, and $\beta$ such that $n = 2\delta$ and $\delta = 2\gamma = 3\beta$. Note that an integer $n$ satisfies this requirement if and only if $n$ is a multiple of 12. In the following, $n$, $\delta$, $\gamma$, and $\beta$ are understood to be as just described.
For the operation of the cipher, the set of all binary $n$-blocks must be identified in some specified way with the finite field $GF(2^n)$. Then the public description of the enciphering permutation $P$ consists of a 16-term polynomial formula (2.1) for $P$. The coefficients $p_{gh}$ in this formula are publicly revealed elements of $GF(2^n)$ which constitute the public key for $P$.
Although $P$ is a polynomial function of very high degree, $P(x)$ can nevertheless be computed quite efficiently for each $x \in GF(2^n)$. One way to do this is to use formula (2.1), written in a suitably rearranged form, and to compute the powers of $x$ of the form $x^{2^k}$ appearing in this formula by doing $k$ successive squarings. Computing $P(x)$ this way requires a total of just $(11/12)n$ squarings, 20 multiplications, and 15 additions in $GF(2^n)$.
$P(x)$ can be computed even more efficiently by using matrix-vector multiplication to compute various quantities which are the values of linear functions on $GF(2^n)$, where $GF(2^n)$ is regarded as a vector space over its smallest subfield $GF(2)$. To compute $P(x)$ this way, first compute the quantities $u_0, \ldots, u_3$ and $v_1, v_2, v_3$ given by
$$u_h = \sum_{g} p_{gh}\, x^{2^{g\gamma+\beta}}, \qquad \text{for } h = 0, \ldots, 3,$$
and $v_h = x^{2^{\gamma h}}$, for $h = 1, 2, 3$. Each of these quantities is a $GF(2)$-linear function of $x$, and so can be computed by doing a single matrix-vector multiplication involving an $n \times n$ matrix over $GF(2)$ and an $n$-element vector over $GF(2)$. Then compute $P(x)$ from the $u_h$ and $v_h$ by the corresponding formula. Computing $P(x)$ this way requires a total of just 7 matrix-vector multiplications over $GF(2)$, together with 4 multiplications and 3 additions in $GF(2^n)$.
For the construction of enciphering permutations, $GF(2^n)$ and its subfield $GF(2^\delta)$ are regarded as vector spaces, of dimensions 4 and 2 respectively, over their common subfield $GF(2^\gamma)$. To construct an enciphering permutation, one first chooses at random two secret bases $a_1, \ldots, a_4$ and $b_1, \ldots, b_4$ of $GF(2^n)$ over $GF(2^\gamma)$. One also chooses a basis $e_1, e_2$ of $GF(2^\delta)$ over $GF(2^\gamma)$. This last basis need not be kept secret and can be chosen to be whatever is most convenient. The sequence $a_1, \ldots, a_4, b_1, \ldots, b_4, e_1, e_2$ formed by these three bases constitutes secret trapdoor information about an enciphering permutation $P$ that is specified by this sequence. We will call this sequence a trapdoor sequence for the permutation $P$.
This permutation is constructed as follows. First, let $S_1$ and $S_2$ be the $GF(2^\gamma)$-linear functions from $GF(2^\delta)$ into $GF(2^n)$ such that $S_1(e_j) = a_j$ and $S_2(e_j) = a_{j+2}$, for $j = 1, 2$. Next, let $T_1$ and $T_2$ be the $GF(2^\gamma)$-linear functions from $GF(2^n)$ into $GF(2^\delta)$ such that
$$T_1(b_j) = \begin{cases} e_j, & \text{for } j = 1, 2 \\ 0, & \text{for } j = 3, 4 \end{cases}
\qquad\text{and}\qquad
T_2(b_j) = \begin{cases} 0, & \text{for } j = 1, 2 \\ e_{j-2}, & \text{for } j = 3, 4. \end{cases}$$
Finally, let $M$ be the permutation of $GF(2^\delta)$ given by
$$M(x) = x^{2^\beta + 1}. \qquad (2.2)$$
Then the enciphering permutation $P$ specified by the trapdoor sequence $a_1, \ldots, a_4, b_1, \ldots, b_4, e_1, e_2$ is the function from $GF(2^n)$ into $GF(2^n)$ given by
$$P(x) = S_1 M T_1(x) + S_2 M T_2(x). \qquad (2.3)$$
Here and in the following, we denote the composition of two or more functions by the juxtaposition of their symbols. Thus, for $i = 1, 2$, $S_i M T_i(x) = S_i \circ M \circ T_i(x) = S_i(M(T_i(x)))$.

We note that the enciphering permutation $P$ just described does not determine a unique trapdoor sequence which specifies it. Indeed, it can be shown that for each enciphering permutation, there are a very large number of trapdoor sequences which specify it.
For the public description of the enciphering permutation $P$ described above, $P$ must be expressed as a polynomial function. To do this, first the functions $S_i$ and $T_i$ are expressed as polynomial functions. The functions $S_i$ are given by the polynomial formulas
$$S_i(x) = a_{i0}\,x + a_{i1}\,x^{2^\gamma}, \qquad (2.4)$$
where the coefficients $a_{ik}$ are the elements of $GF(2^n)$ uniquely determined by the system of linear equations
$$a_{i0}\,e_j + a_{i1}\,e_j^{2^\gamma} = S_i(e_j), \qquad \text{for } j = 1, 2.$$
The functions $T_i$ are given by the polynomial formulas (2.5), where the coefficients $b_{ik}$ are the elements of $GF(2^n)$ uniquely determined by the corresponding system of linear equations in the values $T_i(b_j)$. Once the elements $a_{ik}$ and $b_{ik}$ have been determined, the enciphering permutation $P$ is given by the polynomial formula (2.1), where the coefficients $p_{gh}$ are given by formula (2.6), in which $b_{i,-1} = b_{i,3}$, for $i = 1, 2$.

We note that this polynomial formula for $P$ can be derived by substituting the polynomial formulas (2.4), (2.5), and (2.2) for the functions $S_i$, $T_i$, and $M$ into formula (2.3) and expanding the resulting expression for $P(x)$ as a polynomial in $x$, taking into account that repeated squarings are automorphisms of $GF(2^n)$, and using the identity $x^{2^n} = x$ to reduce the degree of this polynomial to less than $2^n$. We also note that the coefficients $a_{ik}$ and $b_{ik}$ in the polynomial formulas (2.4) and (2.5) for the functions $S_i$ and $T_i$ must be kept secret because a trapdoor sequence for $P$ can be computed from them quite easily.
To decipher a message which has been enciphered using the enciphering permutation $P$, each ciphertext $n$-block $y$ is replaced by the corresponding plaintext $n$-block $x$ which is given by $x = P^{-1}(y)$, where $P^{-1}$ is the inverse of the permutation $P$. To obtain a formula for the deciphering permutation $P^{-1}$, one must know a trapdoor sequence $a_1, \ldots, a_4, b_1, \ldots, b_4, e_1, e_2$ for $P$. The permutation $P^{-1}$ is specified by this trapdoor sequence as follows. Let $U_1$ and $U_2$ be the $GF(2^\gamma)$-linear functions from $GF(2^\delta)$ into $GF(2^n)$ such that $U_1(e_j) = b_j$ and $U_2(e_j) = b_{j+2}$, for $j = 1, 2$. Let $V_1$ and $V_2$ be the $GF(2^\gamma)$-linear functions from $GF(2^n)$ into $GF(2^\delta)$ such that
$$V_1(a_j) = \begin{cases} e_j, & \text{for } j = 1, 2 \\ 0, & \text{for } j = 3, 4 \end{cases}
\qquad\text{and}\qquad
V_2(a_j) = \begin{cases} 0, & \text{for } j = 1, 2 \\ e_{j-2}, & \text{for } j = 3, 4. \end{cases}$$
Finally, let $M^{-1}$ be the inverse of the permutation $M$ of $GF(2^\delta)$, which means that $M^{-1}$ is given by
$$M^{-1}(y) = y^{E}, \qquad (2.7)$$
where $E = 2^{\beta-1}(2^{2\beta} + 2^\beta - 1)$. Then the deciphering permutation $P^{-1}$ is given by
$$P^{-1}(y) = U_1 M^{-1} V_1(y) + U_2 M^{-1} V_2(y). \qquad (2.8)$$

Like the functions $S_i$ and $T_i$, the functions $U_i$ and $V_i$ can be expressed as polynomial functions. The functions $U_i$ are given by the polynomial formulas (2.9), where the coefficients $c_{ik}$ are the elements of $GF(2^n)$ uniquely determined by the system of linear equations
$$c_{i0}\,e_j + c_{i1}\,e_j^{2^\gamma} = U_i(e_j), \qquad \text{for } j = 1, 2.$$
The functions $V_i$ are given by the polynomial formulas (2.10), where the coefficients $d_{ik}$ are the elements of $GF(2^n)$ uniquely determined by the corresponding system of linear equations in the values $V_i(a_j)$. The coefficients $c_{ik}$ and $d_{ik}$ in the polynomial formulas (2.9) and (2.10) for the functions $U_i$ and $V_i$ can be regarded as a secret private key for the deciphering permutation $P^{-1}$.
$P^{-1}(y)$ can be computed for each $y \in GF(2^n)$ by using formula (2.8) together with the polynomial formulas (2.9), (2.10), and (2.7) for the functions $U_i$, $V_i$, and $M^{-1}$. An efficient way of doing this is based on a formula for $M^{-1}V_i(y)$ in terms of the powers of $y$, in which $d_{i,-1} = d_{i,3}$ and $\alpha = n/12$. To compute $P^{-1}(y)$ efficiently using this formula, first compute the quantities $z_1$ and $z_2$ given by $z_i = M^{-1}V_i(y)$ by using this formula and computing the powers of $y$ of the form $y^{2^k}$ appearing in it by doing $k$ successive squarings. Then compute the quantities $U_i(z_i)$ by using the polynomial formulas (2.9) for the functions $U_i$ and again computing powers of the $z_i$ by repeated squaring. Finally, compute $P^{-1}(y)$ by adding $U_1(z_1)$ and $U_2(z_2)$. Computing $P^{-1}(y)$ this way requires a total of just $(3/2)n - 1$ squarings, 30 multiplications, 2 divisions, and 21 additions in $GF(2^n)$.
$P^{-1}(y)$ can be computed even more efficiently by making use of matrix-vector multiplication. To compute $P^{-1}(y)$ this way, first compute the quantities $t_i$, $u_i$, and $v_i$ for $i = 1, 2$, where these quantities are given by
$$t_i = V_i(y)^{2^{3\beta-1}}, \qquad u_i = V_i(y)^{2^{2\beta-1}}, \qquad v_i = V_i(y)^{2^{\beta-1}}.$$
Each of these quantities is a $GF(2)$-linear function of $y$, and so can be computed by doing a single matrix-vector multiplication over $GF(2)$. Next, compute the quantities $w_1$ and $w_2$ given by $w_i = M^{-1}V_i(y) = t_i u_i / v_i$. Then compute $U_1(w_1)$ and $U_2(w_2)$. For each $i$, the quantity $U_i(w_i)$ is a $GF(2)$-linear function of $w_i$, and so can be computed by doing a single matrix-vector multiplication over $GF(2)$. Finally, compute $P^{-1}(y)$ by adding $U_1(w_1)$ and $U_2(w_2)$. Computing $P^{-1}(y)$ this way requires a total of just 8 matrix-vector multiplications over $GF(2)$, together with 7 multiplications, 2 divisions, and 1 addition in $GF(2^n)$.

For the security of the cipher, the trapdoor sequences used should be such that all the coefficients $p_{gh}$, $a_{ik}$, $b_{ik}$, $c_{ik}$, and $d_{ik}$ in the polynomial formulas (2.1), (2.4), (2.5), (2.9), and (2.10) for the functions $P$, $S_i$, $T_i$, $U_i$, and $V_i$ are nonzero. It can be shown that, given any basis $e_1, e_2$ of $GF(2^\delta)$ over $GF(2^\gamma)$, if elements $a_1, \ldots, a_4, b_1, \ldots, b_4$ are chosen at random from $GF(2^n)$, then it is virtually certain that $a_1, \ldots, a_4$ and $b_1, \ldots, b_4$ will both form bases of $GF(2^n)$ over $GF(2^\gamma)$ and that the sequence $a_1, \ldots, a_4, b_1, \ldots, b_4, e_1, e_2$ will form a trapdoor sequence that satisfies the security requirements just stated.
3. Invertibility of the enciphering and deciphering permutations

We now show that the enciphering and deciphering permutations given by formulas (2.3) and (2.8), respectively, are indeed mutually inverse permutations of $GF(2^n)$.

Since the invertibility of these functions depends on the invertibility of the function $M$ given by formula (2.2), we first indicate why this function is a permutation of $GF(2^\delta)$ and why $M^{-1}$ is given by formula (2.7). Using the Euclidean algorithm and the relation $\delta = 3\beta$, it can be calculated that $\gcd(2^\delta - 1, 2^\beta + 1) = 1$. Hence there exist numbers $E$ satisfying the congruence $(2^\beta + 1)E \equiv 1 \pmod{2^\delta - 1}$. If $E$ is any positive solution of this congruence, then it follows from the identity $x^{2^\delta - 1} = 1$, which is satisfied by all nonzero $x \in GF(2^\delta)$, that $M(x)^E = x$ for all $x \in GF(2^\delta)$. Thus $M$ is a permutation of $GF(2^\delta)$, and $M^{-1}$ is given by $M^{-1}(y) = y^E$, where $E$ is any positive solution of the above congruence. It follows that $M^{-1}$ is given by formula (2.7) provided that the number $E$ appearing in this formula satisfies the condition just given. The Euclidean algorithm calculations mentioned above can be used to find all the solutions of the congruence above. Of these solutions, the least positive one is exactly the number $E = 2^{\beta-1}(2^{2\beta} + 2^\beta - 1)$ appearing in formula (2.7). Thus $M^{-1}$ is indeed given by formula (2.7).
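As an added check that is not part of the paper, the congruence can be verified directly with the paper's own symbols. Multiplying out,
$$(2^\beta + 1)E = 2^{\beta-1}(2^\beta + 1)(2^{2\beta} + 2^\beta - 1) = 2^{\beta-1}(2^{3\beta} + 2^{2\beta+1} - 1) = 2^{4\beta-1} + 2^{3\beta} - 2^{\beta-1}.$$
Since $\delta = 3\beta$, we have $2^{3\beta} = 2^\delta \equiv 1 \pmod{2^\delta - 1}$ and hence $2^{4\beta-1} = 2^{\delta} \cdot 2^{\beta-1} \equiv 2^{\beta-1}$, so that
$$(2^\beta + 1)E \equiv 2^{\beta-1} + 1 - 2^{\beta-1} = 1 \pmod{2^\delta - 1},$$
which gives $M^{-1}(M(x)) = x^{(2^\beta+1)E} = x$ for every nonzero $x \in GF(2^\delta)$, and trivially for $x = 0$. The coprimality claim follows from the same relation: $2^\delta - 1 = (2^\beta - 1)(2^{2\beta} + 2^\beta + 1)$, and since $2^{2\beta} + 2^\beta + 1 = 2^\beta(2^\beta + 1) + 1$ and $2^\beta - 1 = (2^\beta + 1) - 2$, both factors are coprime to the odd number $2^\beta + 1$. For the smallest admissible block-length $n = 12$ ($\beta = 2$, $\delta = 6$) this reads $E = 38$ and $5 \cdot 38 = 190 = 3 \cdot 63 + 1$.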
Proposition. The enciphering function $P$ given by formula (2.3) is a permutation of $GF(2^n)$ and the inverse of this permutation is the deciphering function given by formula (2.8).

Proof. Let $Q$ denote the function on $GF(2^n)$ defined by formula (2.8). To prove the proposition, it suffices to show that $QP(x) = x$ for all $x \in GF(2^n)$. Let $a_1, \ldots, a_4, b_1, \ldots, b_4, e_1, e_2$ be a trapdoor sequence for $P$ that specifies the $GF(2^\gamma)$-linear functions $S_i$, $T_i$, $U_i$, and $V_i$ appearing in formulas (2.3) and (2.8). Let $X_1$ and $X_2$ be the $GF(2^\gamma)$-subspaces of $GF(2^n)$ spanned by $b_1, b_2$ and by $b_3, b_4$, respectively, and let $Y_1$ and $Y_2$ be the $GF(2^\gamma)$-subspaces of $GF(2^n)$ spanned by $a_1, a_2$ and by $a_3, a_4$, respectively. Then $GF(2^n) = X_1 \oplus X_2 = Y_1 \oplus Y_2$. Now suppose that $x \in GF(2^n)$ is given, and let $x_1$ and $x_2$ be the unique elements of $X_1$ and $X_2$, respectively, such that $x = x_1 + x_2$. Then, for $i = 1, 2$,
$$T_i(x) = T_i(x_1 + x_2) = T_i(x_1) + T_i(x_2) = T_i(x_i),$$
where the last equality holds because $T_1(X_2) = T_2(X_1) = 0$ by the definition of the functions $T_i$. Also $T_i$ maps $X_i$ one-to-one onto $GF(2^\delta)$, $M$ is a permutation of $GF(2^\delta)$, and $S_i$ maps $GF(2^\delta)$ one-to-one onto $Y_i$, so $S_i M T_i$ maps $X_i$ one-to-one onto $Y_i$. Thus, letting $y_i = S_i M T_i(x_i)$, we have $P(x) = y_1 + y_2$, with $y_i \in Y_i$. Next, to compute $QP(x)$, we note that, for $i = 1, 2$,
$$V_i P(x) = V_i(y_1 + y_2) = V_i(y_1) + V_i(y_2) = V_i(y_i),$$
where the last equality holds because $V_1(Y_2) = V_2(Y_1) = 0$ by the definition of the functions $V_i$. Hence
$$QP(x) = U_1 M^{-1} V_1(y_1) + U_2 M^{-1} V_2(y_2) = U_1 M^{-1} V_1 S_1 M T_1(x_1) + U_2 M^{-1} V_2 S_2 M T_2(x_2).$$
Also both $V_i S_i$ and $M^{-1} M$ are the identity map on $GF(2^\delta)$, and $U_i T_i$ is the identity map on $X_i$, so $U_i M^{-1} V_i S_i M T_i(x_i) = x_i$. Hence, for all $x \in GF(2^n)$, $QP(x) = x_1 + x_2 = x$. Thus $P$ is a permutation of $GF(2^n)$, and $P^{-1} = Q$. Q.E.D.
4. Cryptanalysis by solving the equation $P(x) = y$

In this section and the next two sections, we describe some possible methods of cryptanalyzing our cipher by using public information about the enciphering permutation. For each method that we consider, we give an estimate of the amount of computation needed.

The first cryptanalytic attack that we consider consists of solving a given ciphertext message, enciphered using a known enciphering permutation $P$, by solving the equation $P(x) = y$ for each ciphertext $n$-block $y$ to find the corresponding plaintext $n$-block $x$. We consider two methods of solving the equation $P(x) = y$. The first method is an exhaustive search procedure, while the second method is algebraic in nature.

The exhaustive search procedure that we consider for solving the equation $P(x) = y$ depends on the easily proved identity $P(wz) = M(w)P(z)$, which holds for all $w \in GF(2^\gamma)$ and $z \in GF(2^n)$. In view of this identity, if a nonzero $z \in GF(2^n)$ can be found such that $y/P(z) \in GF(2^\gamma)$, then the desired $n$-block $x$ such that $P(x) = y$ is given by $x = M^{-1}(y/P(z))\,z$. A nonzero $z \in GF(2^n)$ has the property just described if and only if $(y/P(z))^{2^\gamma} = y/P(z)$. Such an element $z$ can be found by an exhaustive search in which elements of $GF(2^n)$ are tested one-by-one until one is found that satisfies this last condition. A minimal subset of $GF(2^n)$ that is certain to contain an element $z$ of the desired kind contains exactly one element of each different subset of $GF(2^n)$ of the form $\{wt : w \in GF(2^\gamma),\ w \neq 0\}$, where $t$ is a nonzero element of $GF(2^n)$. There are approximately $2^{(3/4)n}$ such subsets of $GF(2^n)$, so the desired element $z$ can be found after at most $2^{(3/4)n}$ trials. We will regard each trial needed to find this element $z$ as a single operation. Then it follows that at most approximately $2^{(3/4)n}$ operations are required to solve the equation $P(x) = y$ by the exhaustive search procedure just described.
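The construction of section 2 and the coset search just described, carried out end to end as an added example (illustration code written for this page, not the paper's own). It instantiates the cipher at the smallest admissible block-length $n = 12$ ($\delta = 6$, $\gamma = 3$, $\beta = 2$), far below the $n \geq 150$ the paper recommends, purely to make every object concrete. Assumptions not on the page: $GF(2^{12})$ is represented modulo the first primitive degree-12 polynomial found by search; every $GF(2^\gamma)$-linear map is written as $\sum_k c_k x^{2^{k\gamma}}$ with coefficients obtained by solving the linear system on its basis, which is how the systems for (2.4), (2.5), (2.9) and (2.10) are handled here; and the explicit 16-term public polynomial $P(x) = \sum_{g,h} p_{gh}\,x^{2^{g\gamma+\beta} + 2^{h\gamma}}$ in `public_key` is derived by expanding (2.3) as the paper describes, since formula (2.1) itself is not reproduced above. `coset_search` is the exhaustive search of this section: it tests one representative of each of the $(2^n - 1)/(2^\gamma - 1)$ cosets $t \cdot GF(2^\gamma)^*$ and recovers $x = M^{-1}(y/P(z))\,z$.

```python
import random
from functools import reduce
from operator import xor

N, DELTA, GAMMA, BETA = 12, 6, 3, 2    # smallest admissible n: n = 2*delta, delta = 2*gamma = 3*beta
E = 2 ** (BETA - 1) * (2 ** (2 * BETA) + 2 ** BETA - 1)   # exponent of M^-1 from formula (2.7); E = 38 here

def pmul(a, b, f):                     # a*b mod f in GF(2)[x]; ints are bit vectors, deg a < deg f
    r, top = 0, 1 << (f.bit_length() - 1)
    while b:
        r ^= a if b & 1 else 0
        a, b = a << 1, b >> 1
        a ^= f if a & top else 0
    return r

def ppow(a, e, f):                     # square-and-multiply in GF(2)[x]/(f)
    r = 1
    while e:
        r, a, e = (pmul(r, a, f) if e & 1 else r), pmul(a, a, f), e >> 1
    return r

# ASSUMPTION: any irreducible degree-12 polynomial serves; we take the first f for which x has
# multiplicative order 2^12 - 1 = 3^2 * 5 * 7 * 13, which makes f primitive and hence irreducible.
F = next(f for f in range(1 << N | 1, 1 << (N + 1), 2)
         if ppow(2, 4095, f) == 1 and all(ppow(2, 4095 // p, f) != 1 for p in (3, 5, 7, 13)))
mul = lambda a, b: pmul(a, b, F)
pw = lambda a, e: ppow(a, e, F)
frob = lambda a, k: pw(a, 1 << k)      # a^(2^k): k successive squarings, a GF(2)-linear map (section 2)
GF_DELTA = [a for a in range(1 << N) if frob(a, DELTA) == a]   # the subfield GF(2^delta), 64 elements
GF_GAMMA = [a for a in range(1 << N) if frob(a, GAMMA) == a]   # the subfield GF(2^gamma), 8 elements
M = lambda z: mul(frob(z, BETA), z)    # M(z) = z^(2^beta + 1), formula (2.2)
M_inv = lambda z: pw(z, E)             # M^-1(z) = z^E, formula (2.7)

def solve(A, v):                       # Gaussian elimination over GF(2^n); None if A is singular
    m, rows = len(v), [A[i] + [v[i]] for i in range(len(v))]
    for c in range(m):
        piv = next((r for r in range(c, m) if rows[r][c]), None)
        if piv is None:
            return None
        rows[c], rows[piv] = rows[piv], rows[c]
        rows[c] = [mul(pw(rows[c][c], (1 << N) - 2), x) for x in rows[c]]
        for r in range(m):
            if r != c and rows[r][c]:
                rows[r] = [x ^ mul(rows[r][c], y) for x, y in zip(rows[r], rows[c])]
    return [row[m] for row in rows]

def lin_map(basis, images):            # coefficients c_k of sum_k c_k x^(2^(k*gamma)) taking basis[j] to images[j]
    return solve([[frob(b, k * GAMMA) for k in range(len(basis))] for b in basis], images)  # None iff dependent

def lin_eval(coeffs, x):
    return reduce(xor, (mul(c, frob(x, k * GAMMA)) for k, c in enumerate(coeffs)))

def keygen(rng):                       # random trapdoor sequence a1..a4, b1..b4, e1, e2 -> coefficients of S, T, U, V
    while True:                        # redraw until all three draws are bases (the paper: virtually certain for large n)
        e = [rng.choice(GF_DELTA[1:]) for _ in range(2)]
        a = [rng.randrange(1, 1 << N) for _ in range(4)]
        b = [rng.randrange(1, 1 << N) for _ in range(4)]
        S = [lin_map(e, a[:2]), lin_map(e, a[2:])]             # S1(e_j) = a_j, S2(e_j) = a_{j+2}
        T = [lin_map(b, e + [0, 0]), lin_map(b, [0, 0] + e)]   # T1(b_j) = e_1, e_2, 0, 0; T2(b_j) = 0, 0, e_1, e_2
        U = [lin_map(e, b[:2]), lin_map(e, b[2:])]             # U1(e_j) = b_j, U2(e_j) = b_{j+2}
        V = [lin_map(a, e + [0, 0]), lin_map(a, [0, 0] + e)]   # V1(a_j) = e_1, e_2, 0, 0; V2(a_j) = 0, 0, e_1, e_2
        if None not in S + T + U + V:
            return S, T, U, V

def encrypt(key, x):                   # P(x) = S1 M T1(x) + S2 M T2(x), formula (2.3)
    S, T = key[0], key[1]
    return reduce(xor, (lin_eval(S[i], M(lin_eval(T[i], x))) for i in range(2)))

def decrypt(key, y):                   # P^-1(y) = U1 M^-1 V1(y) + U2 M^-1 V2(y), formula (2.8)
    U, V = key[2], key[3]
    return reduce(xor, (lin_eval(U[i], M_inv(lin_eval(V[i], y))) for i in range(2)))

def public_key(key):                   # ASSUMPTION: 16-term form P(x) = sum p[g][h] x^(2^(g*gamma+beta) + 2^(h*gamma)),
    S, T, p = key[0], key[1], [[0] * 4 for _ in range(4)]   # derived here by expanding (2.3); (2.1) is not transcribed
    for g in range(4):
        for h in range(4):
            for i in range(2):         # index -1 wraps to 3, matching the paper's b_{i,-1} = b_{i,3}
                p[g][h] ^= mul(S[i][0], mul(frob(T[i][g], BETA), T[i][h]))
                p[g][h] ^= mul(S[i][1], frob(mul(frob(T[i][g - 1], BETA), T[i][h - 1]), GAMMA))
    return p

def public_eval(p, x):                 # evaluate the public 16-term polynomial
    return reduce(xor, (mul(p[g][h], mul(frob(x, g * GAMMA + BETA), frob(x, h * GAMMA))) for g in range(4) for h in range(4)))

COSET_REPS = [z for z in range(1, 1 << N) if z == min(mul(w, z) for w in GF_GAMMA[1:])]   # one z per coset t*GF(2^gamma)^*

def coset_search(key, y):              # section 4: find z with y/P(z) in GF(2^gamma), then x = M^-1(y/P(z)) z
    for trials, z in enumerate(COSET_REPS, 1):
        w = mul(y, pw(encrypt(key, z), (1 << N) - 2))
        if frob(w, GAMMA) == w:
            return mul(M_inv(w), z), trials

KEY = keygen(random.Random(1))         # fixed demo trapdoor; a real key uses n >= 150 and fresh randomness
if __name__ == "__main__":
    print("cosets:", len(COSET_REPS), "| search for P(0x5a7) gives (x, trials):", coset_search(KEY, encrypt(KEY, 0x5A7)))
```

Running the file prints the number of cosets (585 for $n = 12$) and the plaintext recovered from a ciphertext together with the number of trials used; `public_eval(public_key(KEY), x)` agrees with `encrypt(KEY, x)` on every $x$, which checks the reconstructed public form against the trapdoor composition. The search cost grows as $2^{(3/4)n}$ trials, which is why the toy block-length falls in at most 585 trials while the recommended one does not.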
The second method that we consider for solving the equation $P(x) = y$ is to regard this equation as a polynomial equation in $x$ and to solve this equation algebraically. It appears that the most efficient way of doing this is to use the Euclidean algorithm to compute the polynomial in $x$ which is the greatest common divisor of the polynomials $P(x) - y$ and $x^{2^n} - x$. To see what this accomplishes, note that, since $P$ is a permutation of $GF(2^n)$, the polynomial $P(x) - y$ has a unique root $x = r$ in $GF(2^n)$, and hence has a unique linear factor $x - r$ over $GF(2^n)$. On the other hand, the polynomial $x^{2^n} - x$ is the product of all the linear factors $x - a$, with $a \in GF(2^n)$. Hence the greatest common divisor of $P(x) - y$ and $x^{2^n} - x$ is exactly the linear factor $x - r$ such that $x = r$ is the desired solution of the equation $P(x) = y$. Thus to solve the equation $P(x) = y$, it is only necessary to compute this greatest common divisor. Using the Euclidean algorithm to do this, the required number of multiplications and divisions in $GF(2^n)$ is at most approximately $(\deg P)^2/2$. Thus we conclude that the equation $P(x) = y$ can be solved algebraically using the method just described by doing at most approximately $2^{(11/6)n - 1}$ operations.
5. Cryptanalysis by determining a polynomial or rational formula for $P^{-1}$

Next, we consider a method of cryptanalyzing the cipher that consists of determining a formula for the deciphering permutation $P^{-1}$ by using public information about the enciphering permutation $P$. We describe two formulas for $P^{-1}$ that can be determined this way. The first formula expresses $P^{-1}$ as a polynomial function, while the second formula expresses $P^{-1}$ as a rational function, that is, as a quotient of two polynomial functions. We describe how each of these formulas can be obtained and we give estimates of the amounts of computation needed to do this.

First, we describe how a polynomial formula for $P^{-1}$ can be obtained. It can be shown that $P^{-1}$ can be expressed as a polynomial function of the form
$$P^{-1}(y) = \sum_{k \in K} w_k\, y^k,$$
where the coefficients $w_k$ are elements of $GF(2^n)$, the index set $K$ is a subset of the set $\{0, \ldots, 2^n - 1\}$ which can be completely specified, and the number of elements in the set $K$ satisfies $2^{n/3} \leq |K| \leq 2^{n/3+2}$. This formula for $P^{-1}$ can be regarded as a system of $2^n$ linear equations which uniquely determines the coefficients $w_k$ in the formula. By making the substitution $y = P(x)$ in this formula, an equivalent system of $2^n$ linear equations can be obtained which have the form
$$x = \sum_{k \in K} w_k\, P(x)^k, \qquad x \in GF(2^n).$$
Note that this second system of equations can be formulated using only public information about the enciphering permutation $P$. Since the rank of this second system is the same as the rank of the original system, which is $|K|$, and since $|K| < 2^n$, it follows that this second system can be reduced to a smaller system formed from it by choosing any subset of $|K|$ independent equations. We will assume that such a smaller system can be obtained without any significant computational effort, which may well be the case. Then the determination of the coefficients $w_k$ in the polynomial formula for $P^{-1}$ reduces to solving this smaller system of equations. This system consists of $|K|$ equations in $|K|$ unknowns, so to solve it requires at most approximately $|K|^3/3$ operations consisting of multiplications and divisions in $GF(2^n)$. Hence, since $2^{n/3} \leq |K| \leq 2^{n/3+2}$, we conclude that it takes approximately $2^n/3$ operations, up to a constant factor of at most $2^6$, to solve for the coefficients $w_k$, and thus to determine a polynomial formula for $P^{-1}$.
Next, we describe how a rational formula for $P^{-1}$ can be obtained. The rational formula that we consider has the same form as the rational formula for $P^{-1}$ that is obtained by expanding formula (2.8) for $P^{-1}(y)$ as a rational function of $y$, making use of the polynomial formulas (2.9) and (2.10) for the functions $U_i$ and $V_i$ described in section 2, and expressing the function $M^{-1}$ by the rational formula $M^{-1}(y) = y^{\zeta}/y^{\eta}$, where $\zeta = 2^{\beta-1}(2^{2\beta} + 2^\beta)$ and $\eta = 2^{\beta-1}$. The rational formula for $P^{-1}$ just described has the form $P^{-1}(y) = Q(y)/R(y)$, where $Q$ and $R$ are both nonconstant polynomial functions, $Q(0) = 0$, and $R(y) \neq 0$ for all nonzero $y \in GF(2^n)$. Furthermore, it can be shown that $Q$ and $R$ are given by polynomial formulas having the forms
$$Q(y) = \sum_{k \in K_Q} w_Q(k)\, y^k \qquad\text{and}\qquad R(y) = \sum_{k \in K_R} w_R(k)\, y^k,$$
where the coefficients $w_Q(k)$ and $w_R(k)$ are elements of $GF(2^n)$, the index sets $K_Q$ and $K_R$ are subsets of the set $\{0, \ldots, 2^n - 1\}$ which can be completely specified, and the numbers of elements in the sets $K_Q$ and $K_R$ satisfy $2^{n/3} \leq |K_Q| \leq 2^{n/3+3} + 64$ and $4 \leq |K_R| \leq 16$. Now if the formula $P^{-1}(y) = Q(y)/R(y)$ is rewritten as $P^{-1}(y)R(y) - Q(y) = 0$, if the substitution $y = P(x)$ is made, and if the above polynomial formulas for the functions $Q$ and $R$ are used, then the result is the equation
$$x \sum_{k \in K_R} w_R(k)\, P(x)^k - \sum_{k \in K_Q} w_Q(k)\, P(x)^k = 0,$$
which holds for all $x \in GF(2^n)$. This equation can be regarded as a system of $2^n$ homogeneous linear equations that are satisfied by the elements $w_Q(k)$ and $w_R(k)$ and that can be formulated using only public information about the enciphering permutation $P$. Conversely, if a set of elements $w_Q(k)$ and $w_R(k)$ of $GF(2^n)$ forms a nonzero solution of this system of equations and if the functions $Q$ and $R$ on $GF(2^n)$ are defined by the polynomial formulas given above, then the function $R$ is not identically zero and $P^{-1}$ is given by the rational formula $P^{-1}(y) = Q(y)/R(y)$ for all $y \in GF(2^n)$ such that $R(y) \neq 0$. Thus a rational formula for $P^{-1}$ can be obtained by finding a nonzero solution of the system of linear equations given above, and furthermore such solutions exist.

Since the rank of this system of $2^n$ equations is at most $|K_Q| + |K_R| - 1$, which is less than $2^n$, this system can be reduced to a smaller system which has the same rank and consists of equations chosen from the original system. We will assume that such a smaller system consisting of $|K_Q| + |K_R| - 1$ equations can be obtained from the original system without any significant computational effort. Then the determination of the coefficients $w_Q(k)$ and $w_R(k)$ in a rational formula for $P^{-1}$ reduces to solving this smaller system of $|K_Q| + |K_R| - 1$ linear equations in $|K_Q| + |K_R|$ unknowns, which takes at most approximately $(|K_Q| + |K_R|)^3/3$ operations. Hence, since $|K_Q| + |K_R|$ is of the order of $2^{n/3}$, we conclude that it takes approximately $2^n/3$ operations, up to a constant factor, to determine a rational formula for $P^{-1}$ of the kind described above.
6. Cryptanalysis by finding a trapdoor sequence

The last method of cryptanalysis that we consider consists of using the public key for a given enciphering permutation $P$ to determine a trapdoor sequence for it. We consider two ways of finding such a sequence: first by exhaustive search, and second by solving the system of equations (2.6) algebraically. We describe how each of these approaches might be carried out and we give estimates of the amounts of computation required.

The most efficient exhaustive search procedure for finding a trapdoor sequence for $P$ appears to be as follows. First, choose the elements $e_1, e_2$ of the sequence to be any convenient basis of $GF(2^\delta)$ over $GF(2^\gamma)$. Next, test one-by-one bases $b_1, \ldots, b_4$ of $GF(2^n)$ over $GF(2^\gamma)$ until a basis is found which is the $b_1, \ldots, b_4$ part of a trapdoor sequence for $P$ whose $e_1, e_2$ elements are the ones just chosen. To test a given basis $b_1, \ldots, b_4$ for this property, let the $GF(2^\gamma)$-linear functions $T_1$ and $T_2$ be defined in terms of $b_1, \ldots, b_4, e_1, e_2$ as described in section 2, and solve for the coefficients $b_{ik}$ in the polynomial formulas for these functions given by equation (2.5). Next, find all the solutions for the elements $a_{ik}$ in the system of equations (2.6). Note that these solutions can be found by linear algebra, since this system is linear in the $a_{ik}$. The solutions, if any, of this system are then tested one-by-one to determine whether any of them is such that $GF(2^n)$ can be expressed as $GF(2^n) = S_1(GF(2^\delta)) + S_2(GF(2^\delta))$, where $S_1$ and $S_2$ are the $GF(2^\gamma)$-linear functions from $GF(2^\delta)$ into $GF(2^n)$ defined in terms of the elements $a_{ik}$ by formula (2.4). Now the basis $b_1, \ldots, b_4$, which is being tested for the property of being the $b_1, \ldots, b_4$ part of a trapdoor sequence for $P$ whose $e_1, e_2$ elements are the ones chosen, has this property if and only if there exists a set of elements $a_{ik}$ that satisfies the system of equations (2.6) and that satisfies the condition stated above. As soon as such a basis $b_1, \ldots, b_4$ and a set of elements $a_{ik}$ has been found, a complete trapdoor sequence for $P$ can be produced. The $b_1, \ldots, b_4, e_1, e_2$ part has already been obtained, and the $a_1, \ldots, a_4$ part of the sequence is given by $a_j = S_1(e_j)$, for $j = 1, 2$, and by $a_j = S_2(e_{j-2})$, for $j = 3, 4$, where the functions $S_i$ are as described above.

A minimal set of bases $b_1, \ldots, b_4$ that is certain to contain a basis of the desired kind includes, for each different enciphering permutation, exactly one basis that is the $b_1, \ldots, b_4$ part of a trapdoor sequence for the permutation whose $e_1, e_2$ elements are the ones chosen. It can be shown that such a set of bases contains approximately $2^{3n-3}$ bases, so at most approximately $2^{3n-3}$ trials are required to find a trapdoor sequence for $P$ by the exhaustive search procedure described above. It appears likely that, for each basis $b_1, \ldots, b_4$ tested, either there is no solution at all for the elements $a_{ik}$, or else the basis is the $b_1, \ldots, b_4$ part of a trapdoor sequence for $P$ of the desired kind and there is only one solution for the elements $a_{ik}$. In view of this, we will consider the testing of a single basis as being a single operation. Thus we conclude that at most approximately $2^{3n-3}$ operations are required to find a trapdoor sequence for $P$ by the exhaustive search procedure described above.
Finally, we consider finding a trapdoor sequence for a given enciphering permutation $P$ by solving algebraically for a set of elements $a_{ik}$ and $b_{ik}$ of $GF(2^n)$ satisfying the system of equations (2.6). We note the connection between solutions of this system of equations and trapdoor sequences for $P$. If a set of elements $a_{ik}$ and $b_{ik}$ of $GF(2^n)$ satisfies this system of equations and if $GF(2^\gamma)$-linear functions $S_i$ and $T_i$ from $GF(2^n)$ into $GF(2^n)$ are defined in terms of these elements by equations (2.4) and (2.5), respectively, then $P$ can be expressed in terms of these functions by equation (2.3). Furthermore, there exists a trapdoor sequence for $P$ which specifies these functions if and only if these functions satisfy the conditions. If the functions $S_i$ and $T_i$ satisfy these conditions and if $e_1, e_2$ is any basis of $GF(2^\delta)$ over $GF(2^\gamma)$, then a trapdoor sequence for $P$ which specifies these functions is given by $a_1, \ldots, a_4, b_1, \ldots, b_4, e_1, e_2$, where, for $j = 1, 2$, $a_j = S_1(e_j)$, and, for $j = 3, 4$, $a_j = S_2(e_{j-2})$, and where, for $j = 1, 2$, $b_j$ is the unique element of $\ker(T_2)$ satisfying $T_1(b_j) = e_j$, and, for $j = 3, 4$, $b_j$ is the unique element of $\ker(T_1)$ satisfying $T_2(b_j) = e_{j-2}$. It follows that the system of equations (2.6) has many solutions for the elements $a_{ik}$ and $b_{ik}$, since there is a different solution arising from each different trapdoor sequence for $P$ having fixed $e_1, e_2$ elements, and there are perhaps other solutions as well that do not arise from any trapdoor sequence for $P$. We will assume that all solutions for the elements $a_{ik}$ and $b_{ik}$ do in fact arise from trapdoor sequences for $P$. Then, to find a trapdoor sequence for $P$, it suffices to find a single solution of the system of equations (2.6) for the elements $a_{ik}$ and $b_{ik}$.
In order to estimate the amount of computation required to solve this system of equations algebraically, it is first necessary to determine the most efficient method of algebraic solution. As already noted, this system of equations is linear in the elements $a_{ik}$. Hence it appears that the most efficient way to solve this system is to first simplify it as much as possible by eliminating these unknowns. This is exactly the method that was used by Berkovits and by James, Lidl, and Niederreiter to solve the corresponding system of equations associated with the original version of our cipher. It was in this way that they broke that cipher.
For the system of equations (2.6), there are many possible ways in which the unknowns $a_{ik}$ can be eliminated, and each of these ways must be tried in order to find the best way of simplifying the system. Unfortunately, to try all these ways would require a forbidding amount of computation, although it could probably be done fairly easily using a suitable computer algebra system. To get around these difficulties in analyzing this system of equations, we consider instead a different system of equations that presumably requires less computation to solve. This system of equations is associated with a class of permutations of $GF(2^n)$ that are somewhat simpler than the enciphering permutations used in our cipher but which have the same general structure. These simpler permutations are obtained by modifying the enciphering permutation construction described in section 2 by changing the relationship between $\delta$ and $\gamma$ from $\delta = 2\gamma$ to $\delta = \gamma$. The effect of this change is to convert the polynomial formulas (2.4) and (2.5) for the functions $S_i$ and $T_i$ from 2 terms to 1 term and from 4 terms to 2 terms, respectively. The resulting permutation $P$ is then given by a polynomial formula having just 4 terms, rather than 16 terms as in our cipher. The system of equations that corresponds to the system of equations (2.6) and that relates the polynomial coefficients $p_{gh}$ of $P$ to the polynomial coeffi-
Now we consider how this system of equations can be solved. Note that, like the more complicated system of equations (2.6), the above system of equations is linear in the unknowns $a_{10}$ and $a_{20}$. Hence it appears that the most efficient way to solve this system is to first simplify it as much as possible by eliminating these unknowns. Of the various ways to do this, the best way appears to be one that leads fairly directly to a single polynomial equation $B(B_1) = 0$ of degree $2^{2\delta} + 1$ in the single unknown $B_1 = b_{10}/b_{11}$. It appears that the amount of computation required to solve this equation is at least the amount required to compute the greatest common divisor of the polynomials $B(B_1)$ and $B_1^{2^n} - B_1$. This requires approximately $\deg(B(B_1))^2/2$ operations, which is approximately $2^{(2/3)n-1}$ operations. We will take this amount as our estimate of the amount of computation required to find a trapdoor sequence by solving the system of equations (2.6) algebraically.
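The gcd named in this estimate is the standard way to isolate the roots of a polynomial that lie in the ground field, since $x^{2^n} - x$ is the product of $(x - c)$ over all $c$ in $GF(2^n)$, so $\gcd(B, x^{2^n} - x)$ is exactly the product of the linear factors of $B$ with roots in the field. The following Python is an added illustration of that step, not code from the paper or its author: it works in a toy field $GF(2^8)$ with an assumed modulus, computes $x^{2^m} \bmod B$ by repeated squaring, takes the gcd, and counts field multiplications so that the growth of the cost with $\deg B$ can be observed on constructed inputs.

```python
"""Root isolation over GF(2^m) via gcd(B(x), x^(2^m) - x).  Constructed
illustration, not the paper's code: toy field GF(2^8) with the (assumed)
modulus 0x11B = x^8 + x^4 + x^3 + x + 1; polynomials over the field are
coefficient lists indexed by degree, [] being the zero polynomial."""
M = 8
MODULUS = 0x11B      # assumed irreducible modulus for the toy field
Q = 1 << M           # field size 2^m
MUL_COUNT = 0        # field multiplications performed, to expose the cost

def gf_mul(a, b):
    """Carry-less product of two field elements, reduced mod MODULUS."""
    global MUL_COUNT
    MUL_COUNT += 1
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & Q:
            a ^= MODULUS
    return r

def gf_inv(a):
    """Inverse by Fermat: a^(2^m - 2), for nonzero a."""
    r, e = 1, Q - 2
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def trim(p):
    # strip leading zero coefficients in place
    while p and p[-1] == 0:
        p.pop()
    return p

def poly_add(p, q):
    n = max(len(p), len(q))
    return trim([(p[i] if i < len(p) else 0) ^ (q[i] if i < len(q) else 0) for i in range(n)])

def poly_mul(p, q):
    if not p or not q:
        return []
    r = [0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            if a and b:
                r[i + j] ^= gf_mul(a, b)
    return trim(r)

def poly_mod(p, d):
    """Remainder of p modulo the nonzero polynomial d (long division)."""
    p = trim(list(p))
    inv_lead = gf_inv(d[-1])
    while len(p) >= len(d):
        coef = gf_mul(p[-1], inv_lead)
        shift = len(p) - len(d)
        for i, b in enumerate(d):
            if b:
                p[shift + i] ^= gf_mul(coef, b)
        trim(p)          # the leading term has just been cancelled
    return p

def poly_gcd(p, q):
    """Monic greatest common divisor by the Euclidean algorithm."""
    while q:
        p, q = q, poly_mod(p, q)
    inv = gf_inv(p[-1])
    return [gf_mul(c, inv) for c in p]

def poly_eval(p, x):
    r = 0
    for c in reversed(p):      # Horner's rule
        r = gf_mul(r, x) ^ c
    return r

def frobenius_power(b):
    """x^(2^m) mod b, obtained by squaring x modulo b m times."""
    r = poly_mod([0, 1], b)
    for _ in range(M):
        r = poly_mod(poly_mul(r, r), b)
    return r

def root_factor(b):
    """gcd(b, x^(2^m) - x), the monic product of (x - r) over the distinct roots
    r of b in GF(2^m), together with the number of field multiplications used."""
    global MUL_COUNT
    MUL_COUNT = 0
    g = poly_gcd(b, poly_add(frobenius_power(b), [0, 1]))
    return g, MUL_COUNT

# Constructed test instance: roots 2, 5, 9 in GF(2^8) times x^3 + x + 1, which
# has no root in GF(2^8) because 3 does not divide 8.
B = [1, 1, 0, 1]
for r in (2, 5, 9):
    B = poly_mul(B, [r, 1])      # (x + r); -r == r in characteristic 2
```

`root_factor(B)` returns a cubic whose three roots are 2, 5, 9, while the irreducible cubic factor is discarded. Feeding it polynomials of increasing degree and comparing the multiplication counts shows the roughly quadratic growth behind the $\deg(B(B_1))^2/2$ figure; the paper's estimate is that same count taken at the degree $2^{2\delta}+1$ reached for the cipher's block-length.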
An obvious question now arises. Since the estimate just given is based solely on the properties of the corresponding system of equations for the simpler permutations described above, why not use these simpler permutations as enciphering permutations? Unfortunately, this cannot be done. The reason for this is that, for such enciphering permutations, the deciphering permutations can be expressed by a rational formula corresponding to the rational formula described in section 5 for the deciphering permutations used in our cipher, and there are at most 12 terms in this formula. Thus, as indicated in section 5, the coefficients in this formula can be determined by using at most approximately $12^3/3$ operations. This number of operations is far too small to provide any security, and hence the simpler permutations described above cannot be used as enciphering permutations.
7. Summary of the cryptanalytic attacks and conclusions

The following table summarizes the estimates of the amounts of computation required by the various cryptanalytic attacks discussed in sections 4 - 6.

    method of attack                              amount of computation
    1. solving the equation P(x) = y:
       a. by exhaustive search                    2^((3/4)n)
       b. algebraically                           2^((11/6)n-1)
    2. finding a formula for P^(-1):
       a. polynomial
       b. rational
    3. finding a trapdoor sequence:
       a. by exhaustive search                    2^(3n-3)
       b. algebraically                           2^((2/3)n-1)
According to the above table, the most effective attack against our cipher is to solve algebraically for a trapdoor sequence for the enciphering permutation. This attack is estimated to require at most $2^{(2/3)n-1}$ operations, so the block-length $n$ of the cipher must be chosen so that this amount of computation is unfeasible. We will assume, somewhat arbitrarily, that the maximum feasible amount of computation is the number of operations performed by a computer that does $10^9$ operations per second for a period of 10 years. This amounts to a total of $3 \times 10^{17}$ operations. We multiply this by a safety factor of $10^{12}$ to arrive at the figure of $3 \times 10^{29}$ operations as an unfeasible amount of computation. Hence the block-length $n$ must be such that $2^{(2/3)n-1} \geq 3 \times 10^{29} \approx 2^{98}$. Thus we conclude that a suitable block-length for our cipher is $n \geq 150$.
References

1. Shimshon Berkovits (Uni. of Lowell, Dept. of Computer Science), private communication, Aug., 1985.
2. John J. Cade, A new public-key cipher which allows signatures, talk given at the Second S.I.A.M. Conference on Applied Linear Algebra, Raleigh, NC, Apr. 30 - May 2, 1985.
3. N. S. James, R. Lidl, and H. Niederreiter, Breaking the Cade cipher, preprint, 1986.